DEDICATED SERVERS: Avoid using shared hosting where possible. Why? Because if any single site on your shared server gets hacked, the compromise can spread to your site as well. Most hosts such as Siteground (which we recommend) offer Dedicated or VPS (Virtual Private Server) plans at only slightly more cost than shared hosting, and trust us – it’s worth it! In our experience running numerous sites on shared servers over 10 years, WordPress sites on shared servers can be vulnerable to repeated hacking attempts!
SECURE SOCKETS LAYER: Serve your site over https rather than plain http by installing an SSL certificate (ask your web host). This is becoming the minimum requirement for web hosting, and if you are still on http, you are pushing your luck.
PASSWORDS: Ensure all users use only strong passwords (long passwords with upper/lower case letters, punctuation, numbers, etc.) and change them as often as possible. This is key, and easy to do, so communicate it to your users. It is also highly recommended that you change your FTP and MySQL database passwords. This should be done right after cleaning up a hacked site and at least every 6 months (remember to update the database password in your wp-config.php file as well).
ADMIN ACCESS: Never use “admin” as a username; if you have one, be sure to change it. Many attackers use tools that start by trying this generic “admin” username, or that look for the user with an ID of “1” in the MySQL users table. You can drastically reduce your odds of a hack by switching this.
WP VERSION: Update your WordPress install to the latest version. WordPress adds security improvements in almost every update, so keeping on top of this is very important. We recommend that you also configure automatic background updates in WordPress. To do this, open your wp-config.php file and add define( 'WP_AUTO_UPDATE_CORE', true ); at the bottom, which auto-updates your WordPress version to the latest release. You can also replace true with 'minor' to apply only minor (security) updates rather than major updates, which can sometimes break themes or plugins.
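As an added check (our own example, not code from the original post or from WordPress), the small Python audit below reads the text of a wp-config.php and reports whether WP_AUTO_UPDATE_CORE is set, whether the quotes around it are real PHP quotes (copying the line from a web page often brings curly quotes along), and whether the define() sits before the require of wp-settings.php, the region wp-config-sample.php reserves for custom values. The three config fragments are constructed for the demo.

```python
import re

# Constructed wp-config.php fragments for this demo; not copied from any real site.
CONFIG_OK = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""
CONFIG_TOO_LATE = """<?php
define( 'DB_NAME', 'wp_example' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
define( 'WP_AUTO_UPDATE_CORE', true );
"""
# Curly quotes, as they arrive when the line is copied from a web page.
CONFIG_CURLY = """<?php
define( \u2018WP_AUTO_UPDATE_CORE\u2019, true );
require_once ABSPATH . 'wp-settings.php';
"""

DEFINE_RE = re.compile(
    r"""define\(\s*['"]WP_AUTO_UPDATE_CORE['"]\s*,\s*(true|false|['"]minor['"])\s*\)""",
    re.IGNORECASE,
)
CURLY_RE = re.compile(r"[\u2018\u2019\u201c\u201d]WP_AUTO_UPDATE_CORE[\u2018\u2019\u201c\u201d]")
SETTINGS_RE = re.compile(r"""require(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]""")


def check_auto_update(config_text):
    """Audit WP_AUTO_UPDATE_CORE in the text of a wp-config.php.

    Returns {'value': 'true'|'false'|'minor'|None, 'effective': bool, 'problem': str|None}.
    'effective' is True only when the define() sits before the require of
    wp-settings.php, i.e. in the region wp-config-sample.php reserves for custom values.
    """
    if CURLY_RE.search(config_text):
        # U+2018/U+2019 are not PHP string delimiters: the file fails to parse
        # and the whole site goes down with it.
        return {"value": None, "effective": False,
                "problem": "curly quotes around constant name"}
    m = DEFINE_RE.search(config_text)
    if m is None:
        return {"value": None, "effective": False,
                "problem": "WP_AUTO_UPDATE_CORE not defined"}
    value = m.group(1).strip("'\"").lower()
    s = SETTINGS_RE.search(config_text)
    effective = s is None or m.start() < s.start()
    problem = None if effective else "define() placed after wp-settings.php is loaded"
    return {"value": value, "effective": effective, "problem": problem}
```

Run it over the real file with `check_auto_update(open("wp-config.php").read())` and fix anything reported under "problem".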
PLUGINS: Deactivate and delete any unused plugins and themes. Every piece of unmaintained code running on your server adds to the risk of your site being hacked.
SECURITY: Install a site scanning plugin such as WordFence. This is a free plugin and widely used by literally tens of millions of sites already. They are the gold standard currently. I used them recently on a non-profit website I run and it identified a URL injection attack on an outdated version of WordPress. WordFence showed the specific files which were the issue (wp-config.php was modified and wp-includes/init.php was added) by identifying code found in similar recent attacks. Another scan from a malware detection service missed this same issue.
BACKUPS: Install a site backup plugin such as UpdraftPlus. This is also critical, and a really good plugin with currently over 6 million downloads, a 4.9 star rating on WordPress.org and one of the top 25 most downloaded plugins. We like this one also because it will prompt you to back up your site prior to updating any plugin or theme.
HTACCESS: Add an index.php or .htaccess file to any directory holding data you want to protect. .htaccess files are also a great way to block problem countries or IP addresses from accessing your WordPress site.
KEEP CURRENT: Have you updated all of your plugins, themes and WordPress core? This is essential to minimizing security risks!